comparison src/http/ngx_http_request.c @ 7367:bf1ac3dc1e68
SSL: fixed segfault on renegotiation (ticket #1646).
In e3ba4026c02d (1.15.4) nginx's own renegotiation checks were disabled
if SSL_OP_NO_RENEGOTIATION is available. But since SSL_OP_NO_RENEGOTIATION
is only set on a connection, not in an SSL context, SSL_clear_option()
removed it as long as a matching virtual server was found. This resulted
in a segmentation fault similar to the one fixed in a6902a941279 (1.9.8),
affecting nginx built with OpenSSL 1.1.0h or higher.
To fix this, SSL_OP_NO_RENEGOTIATION is now explicitly set in
ngx_http_ssl_servername() after adjusting options. Additionally, instead
of c->ssl->renegotiation we now check c->ssl->handshaked, which seems
to be a more correct flag to test, and will prevent the segmentation fault
from happening even if SSL_OP_NO_RENEGOTIATION is not working.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 02 Oct 2018 17:46:18 +0300 |
parents | 1812f1d79d84 |
children | 0f0c75caa038 |
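--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -852,11 +852,11 @@
 return SSL_TLSEXT_ERR_NOACK;
 }
 
 c = ngx_ssl_get_connection(ssl_conn);
 
-if (c->ssl->renegotiation) {
+if (c->ssl->handshaked) {
 return SSL_TLSEXT_ERR_NOACK;
 }
 
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
 "SSL server name: \"%s\"", servername);
@@ -917,10 +917,14 @@
 SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) &
 ~SSL_CTX_get_options(sscf->ssl.ctx));
 #endif
 
 SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx));
+
+#ifdef SSL_OP_NO_RENEGOTIATION
+SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);
+#endif
 }
 
 return SSL_TLSEXT_ERR_OK;
 }
 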
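Review bot: The `#ifdef SSL_OP_NO_RENEGOTIATION` block at new lines 923–925 carries no comment saying why the option has to be applied again, and a reader who sees two consecutive SSL_set_options() calls on the same connection will be tempted to fold them into one; the reason is that SSL_clear_options() at line 917 strips every per-connection option that is absent from the selected context, and this option lives only on the connection. A comment such as `/* SSL_OP_NO_RENEGOTIATION is set per connection, not in the context, so SSL_clear_options() above removed it; restore it */` would keep a later cleanup from reintroducing ticket #1646. The `c->ssl->handshaked` test at line 857 deserves a one-liner as well, e.g. `/* servername after a completed handshake means renegotiation; switching virtual servers here is unsafe */`, since nothing in the visible callback explains why the early return is needed. ngx_http_ssl_servername() begins before the first hunk, so only its tail is under review here.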